By: shanna January 9, 2008 7:16 am
Location: Sunnyvale, CA 3 Comments


The first stop on our guided tour of NAC standards is Trusted Network Connect (TNC). TNC is a complete set of standards for NAC, covering each step in the NAC process, from assessment to evaluation and enforcement. Like all good standards, TNC is completely vendor-neutral and open for anyone to implement.

What does this mean concretely? When you buy products that support the TNC standards, you can use a NAC server from one vendor with an enforcement device from another vendor. A NAC client from one vendor can be health checked by a NAC server from another vendor. And you can add assessment and evaluation components from other vendors, plugging those into the NAC client and NAC server.

Sure, that’s cool. But what are the specific customer benefits? First, you avoid vendor lock-in. Proprietary NAC architectures are designed to lock you into one vendor’s products. That way lies madness: single-vendor contracts, high prices, etc. Second, with the TNC standards you can reuse the technology you already have: switches, wireless access points, client security software, etc. There’s no better way to improve ROI than to reuse something you already bought! Finally, you get better security. Open standards go through a rigorous review process that has given us the strongest security available today: AES, TLS, IPsec, etc.

How did TNC come to be? It was developed by the Trusted Computing Group, a consortium of about 175 vendors and customers. The TNC standards were published in 2005 and 2006. Since that time, dozens of products that support the TNC standards have shipped. Hundreds of customers have deployed them. TNC adoption is accelerating, especially since Microsoft announced that TNC support is included in Windows Vista and will be included in Windows XP Service Pack 3. The TNC standards have become the de facto standard for NAC interoperability.

Want to learn more? Check out the presentations, podcasts, and specifications on the TNC web site.



3 Comments »

  1. Hi Steve,
    congratulations, this is a very nice blog with some cool topics!

    I am a consultant in Germany, and we use Juniper devices very much. But we use only the firewalls at the moment, so I am very interested in this blog, because the whole NAC thing will become more and more important.

    thanks so far

    Comment by Ruediger — January 9, 2008 @ 5:00 pm

  2. As you said, TNC is a NAC standard where multiple vendors can interoperate.

    “When you buy products that support the TNC standards, you can use a NAC server from one vendor with an enforcement device from another vendor. A NAC client from one vendor can be health checked by a NAC server from another vendor. And you can add assessment and evaluation components from other vendors, plugging those into the NAC client and NAC server”.

    But in fact, as far as I see, no one is implementing such a standard except Juniper. I’ve never seen any TNC-based controllers or agents from other vendors. Ehmm, there is an open source dot1x supplicant that tries to implement this standard, which is OpenSEA, but so far it’s the only one I know.

    Some NAC vendors are saying that their products will interoperate with this standard, such as Symantec and ConSentry. But you know those guys are planning to interoperate with CNAC and MS-NAP. So I think they just lack an end-to-end network solution, so they have no other choice but to interoperate with other vendors.

    From a technical point of view, I believe that TNC is simple, reliable, and more secure than other non-standard NAC flavours. But the point is that this is not enough; other vendors, especially Mr. C and Ms. M, are pushing their solutions to be the de facto standard, especially since they somehow dominate the market. And that’s why TCG has to market and polish TNC a bit more.

    Comment by Tarek — January 27, 2008 @ 3:11 am

  3. Yes, a standard is only valuable if lots of people implement it. I completely agree. But you’re wrong about the number of vendors that have implemented the TNC specs. We have dozens of vendors now and four open source implementations. See the list posted on the TCG web site.

    You mentioned Microsoft. As I noted in my blog posting above, they have embraced the TNC standards and built them into Windows Server 2008, Windows Vista, and Windows XP SP 3. Customers find that very attractive. They want to be able to health check ANY system using software built into the operating system. The only way that can happen is with open standards like TNC.

    Of course, there’s still more work to do. Last spring, we did an interoperability test that included Colubris, Enterasys, HP, Juniper, PatchLink, Q1 Labs, Symantec, Trapeze, and Wave Systems. We tested our products in real-world environments to make sure they work together. This spring, we’ll be adding some new vendors to the mix. And, oh yes, marketing. As a standards group, TCG doesn’t have a big marketing budget. We do our best but it’s always a challenge. Thanks for your support.

    Comment by shanna — February 6, 2008 @ 8:42 am
